Help Needed With Existing Problem


13 replies to this topic

#1 drgonzo

  • Members
  • 24 posts

Posted 13 November 2006 - 03:50 PM

Hey, here is a post of the SmitFraud cleaning report. Also, when I start up my computer now, in the Task Manager section there is an .exe file running with lots of numbers in it. There are roughly 30 of them with the same long number, which, if I don't shut down before opening my internet connection, my computer freezes.
Any ideas how to get rid of this?
Cheers

SmitFraudFix v2.117

Scan done at 20:30:25.99, Mon 13/11/2006
Run from D:\VIRUS CLEANER\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix run in safe mode

C:\


C:\WINNT


C:\WINNT\system


C:\WINNT\Web


C:\WINNT\system32


C:\Documents and Settings\E Byrne


C:\Documents and Settings\E Byrne\Application Data


Start Menu


C:\DOCUME~1\EBYRNE~1\FAVORI~1


Desktop


C:\Program Files


Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


pe386-msguard-lzx32


Scanning wininet.dll infection


End



And here is a new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 20:47:51, on 13/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
D:\VIRUS CLEANER\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Winstv] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winste] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032259477107.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl231bd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\system32\vbsys2.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

Cheers for any help.


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 13 November 2006 - 04:02 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

Go to the folder where HijackThis is kept and rename the HijackThis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

Also, it looks like your Panda Antivirus is out of date; it needs replacing.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs.
Never install more than one antivirus on your system; several together can cause problems and decrease performance.

David

#3 drgonzo
  • Topic Starter

  • Members
  • 24 posts

Posted 13 November 2006 - 04:36 PM

Hi David, thanks for the reply. Here is the new log, and I'm also downloading the AVG software at the minute, as I've no antivirus software at all running apart from Ad-Aware.
Cheers

Logfile of HijackThis v1.99.1
Scan saved at 21:32:38, on 13/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
D:\VIRUS CLEANER\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Winstv] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsts] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstj] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstw] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstg] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstq] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstc] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstn] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstx] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsth] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstr] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstz] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstt] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstd] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstk] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstu] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winste] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsto] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstf] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstp] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstl] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsti] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsty] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstb] C:\361101032259477107.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl231bd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\system32\vbsys2.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

Edited by drgonzo, 13 November 2006 - 04:39 PM.


#4 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 13 November 2006 - 04:39 PM

It doesn't look like you've installed an antivirus.
This is an imperative step in the process, or you will keep getting reinfected.
Please install one of the ones I recommended above, and post back with a new HijackThis log.

#5 drgonzo
  • Topic Starter

  • Members
  • 24 posts

Posted 13 November 2006 - 06:39 PM

Hey David, I've installed AVG Anti-Virus and done a full system scan. It seems to have cleaned up a lot of stuff; here is a new log from HijackThis.
Can you explain what scoobidoo and slotchbar etc. and the lines below it mean in the HijackThis log?
Thanks again.


Logfile of HijackThis v1.99.1
Scan saved at 23:33:13, on 13/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\avgamsvr.exe
D:\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
D:\avgcc.exe
C:\WINNT\explorer.exe
D:\VIRUS CLEANER\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] D:\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl231bd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\system32\vbsys2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - D:\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - D:\avgupsvc.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)

#6 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 14 November 2006 - 11:17 AM

Hey,

Thanks for installing AVG, but it looks like you installed it on a separate hard drive from where most stuff is installed.
It looks like you installed it on your D:\ drive; did you mean to do that?
Scoobidoo and slotchbar are both malware, something we want to try and remove.

Please download ComboFix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Also, run HijackThis.
On the first menu, click Open the Misc Tools Section.
Click Open Uninstall Manager.
Click Save List; save it anywhere.
A Notepad window will pop up after it's saved; please copy everything in that Notepad and paste it here.

#7 drgonzo
  • Topic Starter

  • Members
  • 24 posts

Posted 14 November 2006 - 06:32 PM

Hi, I had to install AVG on the D drive as C was full. It's a very old hard drive, so not a lot of space.
Here are the logs.

ComboFix log

E Byrne - Tue 2006-11-14 23:24:06.15 Service Pack 4
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\E Byrne\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-14 to 2006-11-14 ))))))))))))))))))))))))))))))))))


2006-11-13 22:51 816,672 --a------ C:\WINNT\system32\drivers\avg7core.sys
2006-11-13 22:51 4,224 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2006-11-13 22:51 3,968 --a------ C:\WINNT\system32\drivers\avgclean.sys
2006-11-13 22:51 28,416 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2006-11-13 22:51 26,880 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2006-11-13 22:51 18,240 --a------ C:\WINNT\system32\drivers\avgmfx86.sys
2006-11-05 01:48 24,576 --a------ C:\361101032259477427.exe
2006-11-01 17:47 53,248 --a------ C:\WINNT\system32\Process.exe
2006-11-01 17:47 40,960 --a------ C:\WINNT\system32\swsc.exe
2006-11-01 17:47 288,417 --a------ C:\WINNT\system32\SrchSTS.exe
2006-11-01 17:47 135,168 --a------ C:\WINNT\system32\swreg.exe
2006-10-31 17:41 205 --a------ C:\WINNT\system32\r.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinampAgent"="\"D:\\Winamp\\Winampa.exe\""
"LoadQM"="loadqm.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Synchronization Manager"="mobsync.exe /logon"
"AVG7_CC"="D:\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000003
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"="internat.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"AVG7_Run"="D:\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"SystemCheck2"="{54645654-2225-4455-44A1-9F4543D34546}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: Tue 2006-11-14 23:24:35.68
C:\ComboFix.txt ... 06-11-14 23:24


New HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 23:26:25, on 14/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\avgamsvr.exe
D:\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
D:\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\explorer.exe
D:\VIRUS CLEANER\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] D:\avgcc.exe /STARTUP
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl231bd.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\system32\vbsys2.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)

Uninstall list

Ad-aware 6 Personal
AVG Free Edition
Digimax A50/Cyber500
Digimax Master
eircom net tools
ewido security suite
HappyLand
HijackThis 1.99.1
hp deskjet 940c series (Remove only)
Java 2 Runtime Environment Standard Edition v1.3.1
Macromedia Flash Player 8
Microsoft Office 2000 Professional
Snowfall Screen Saver
Virtual Turntables
Winamp (remove only)
Windows 2000 Hotfix - KB823980
Windows Blaster Worm Removal Tool (KB833330)
WinZip
Yahoo! Install Manager
Yahoo! Messenger Explorer Bar

Cheers.

#8 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 15 November 2006 - 03:35 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop, where they can be easily found, for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl231bd.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\system32\vbsys2.dll


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINNT\system32\vbsys2.dll
C:\361101032259477427.exe
C:\WINNT\system32\r.exe
C:\WINNT\system32\remote.exe


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow".
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply, along with a new HijackThis log.

David
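
Reading the HijackThis logs against David's fix list above, the pattern is mechanical: one binary registered under 26 different HKCU Run names (the Winst* lines drgonzo saw as roughly 30 processes in Task Manager), entries whose referenced file is already "(file missing)", Trusted Zone additions, ActiveX downloads with no or an unknown source, and an SSODL hook that HijackThis shows because it is not one of the standard Windows entries (compare the four SSODL values in the ComboFix output with the single O21 line). The Python below is added here as an illustration; it is not code from the thread or from HijackThis. It applies those checks to a constructed subset of the log lines posted above. The `MANY_NAMES` threshold and the `TRUSTED_DPF_HOSTS` allow-list are assumptions for the example, and the O17 NameServer line is reported for verification only, since the thread does not say whether those resolvers are legitimate.

```python
"""Triage a HijackThis 1.99.x log the way a forum helper reads it.

Added example for this thread; not code from HijackThis or from the posts.
Groups O4 autorun entries by the executable they launch and flags the line
classes usually marked for Fix Checked. Thresholds and the allow-list are
constructed for the example.
"""
import re
from collections import defaultdict, namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "section target reason")

# Constructed sample: a subset of the lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Winstv] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winstm] C:\361101032259477107.exe
O4 - HKCU\..\Run: [Winsta] C:\361101032259477107.exe
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINNT\system32\vbsys2.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
"""

MANY_NAMES = 3  # assumed threshold: distinct Run names launching one binary
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")  # assumed allow-list

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) -\s*(?P<url>\S*)$")
NUMERIC_ROOT_EXE = re.compile(r"^[a-z]:\\\d+\.exe$")


def run_target(cmd):
    """Executable path from an O4 command line, quotes and arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def group_o4_by_target(lines):
    """Map lower-cased executable path -> Run value names that launch it."""
    groups = defaultdict(list)
    for line in lines:
        m = O4_RE.match(line)
        if m:
            groups[run_target(m["cmd"]).lower()].append(m["name"])
    return groups


def _allowed_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return one Finding per line (or per O4 target) a helper would review."""
    lines = [ln.rstrip() for ln in log_text.splitlines() if ln.strip()]
    findings = []
    # O4: many Run names for one binary, or a numeric-named exe in a drive root
    for target, names in group_o4_by_target(lines).items():
        reasons = []
        if len(names) >= MANY_NAMES:
            reasons.append(f"{len(names)} Run names launch the same file")
        if NUMERIC_ROOT_EXE.match(target):
            reasons.append("numeric-named executable in drive root")
        if reasons:
            findings.append(Finding("O4", target, "; ".join(reasons)))
    for line in lines:
        section = line.split(" ", 1)[0]
        if "(file missing)" in line and section in ("O9", "O23"):
            findings.append(Finding(section, line, "orphaned entry: referenced file is missing"))
        elif section == "O15":
            findings.append(Finding("O15", line, "site added to IE Trusted Zone; remove unless you added it"))
        elif section == "O16":
            m = O16_RE.match(line)
            url = m["url"] if m else ""
            if not url:
                findings.append(Finding("O16", line, "ActiveX download with no source URL"))
            elif not _allowed_host(url):
                findings.append(Finding("O16", line, f"ActiveX download from unlisted host {urlparse(url).hostname}"))
        elif section == "O17":
            findings.append(Finding("O17", line, "DNS servers set on the adapter; confirm they belong to your ISP"))
        elif section == "O21":
            # HJT lists only SSODL entries outside its whitelist, so any O21 line needs a look
            findings.append(Finding("O21", line, "non-standard SSODL DLL loaded by Explorer at logon"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.target}")
```

Running the module as a script prints the findings. On the sample it flags the same four classes David marked for Fix Checked (the O9 file-missing button, the O15 zones, the O16 downloads and the O21 hook), plus the O4 group and the O17 resolvers as review items; the O23 service with a missing binary is the orphan that Killbox's remote.exe entry above clears up.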

#9 drgonzo
  • Topic Starter

  • Members
  • 24 posts

Posted 15 November 2006 - 07:46 PM

Hi David, I followed all instructions and most viruses and threats seem to be gone. I didn't do the Kaspersky Webscan as it takes over one hour to download on a 56k modem. Is this really necessary to complete removals?

Here is the HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 00:43:03, on 16/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\avgamsvr.exe
D:\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
D:\avgcc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\explorer.exe
D:\VIRUS CLEANER\hijack this.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] D:\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)

thanks

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:09 AM

Posted 16 November 2006 - 01:11 PM

I guess it's not absolutely necessary, no.
I understand it's a big download on dialup, let's fix what we can see.
Please fix these two entries with HJT:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

Please find and delete this file (if present):
C:\windows\system32\blank.htm

Please click on start > run > and type: sc delete RpcRemote
Hit enter and let the DOS window open and close. This is normal.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer .
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Reboot and let me know how the PC is running.
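Added example, not code from the thread: a small Python checker that reproduces David's triage above over the R0 and O23 lines of drgonzo's log from post #9. It flags a Local Page that points outside the real system root (C:\WINNT on this Windows 2000 box, as the running-process paths show) and any O23 service whose executable is reported missing. The function and parameter names, and the choice to key on the system root, are my own assumptions.

```python
"""Triage HijackThis R0/O23 lines the way the helper did in this thread (added example)."""
import re

# Constructed sample: the relevant lines copied from drgonzo's post #9 log.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [AVG7_CC] D:\avgcc.exe /STARTUP
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Remote Procedure Call (RPC) Remote (RpcRemote) - Unknown owner - C:\WINNT\system32\remote.exe (file missing)
"""

# R0 line: "R0 - <hive>\<key>,<value name> = <data>"
R0_RE = re.compile(r"^R0 - (?P<hive>HK\w+)\\(?P<key>[^,]+),(?P<value>.+?) = (?P<data>.*)$")
# O23 line: "O23 - Service: <display name> (<short name>) - <owner> - <path>[ (file missing)]"
# The display name may itself contain parentheses, e.g. "Remote Procedure Call (RPC) Remote".
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) \((?P<short>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


def audit_hjt(log_text, system_root=r"C:\WINNT"):
    """Return a list of (log line, reason) pairs for entries worth fixing or reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = R0_RE.match(line)
        if m:
            # Local Page is an IE default that should live under the real system directory.
            # A path under a directory that does not exist on this OS (C:\windows on a
            # C:\WINNT install) is exactly what David asked drgonzo to fix.
            data = m.group("data")
            if m.group("value") == "Local Page" and not data.lower().startswith(system_root.lower() + "\\"):
                findings.append((line, f"Local Page points outside {system_root}: {data}"))
            continue
        m = O23_RE.match(line)
        if m and m.group("missing"):
            # A registered service whose binary is gone is a dead entry: either an uninstall
            # leftover or the remains of a removed infection. Either way it should be deleted.
            findings.append((line, f"service {m.group('short')} binary missing: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for entry, reason in audit_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```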

#11 drgonzo

drgonzo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 16 November 2006 - 07:05 PM

hey dave, everything seems to be fine... one thing I couldn't do was run "scdelete rcremote", it said error message, but apart from that the computer is running so much better now.

your help was very much appreciated.
regards :thumbsup: :flowers:

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:09 AM

Posted 18 November 2006 - 05:49 PM

Ah I see, you are running Windows 2000, sorry didn't see that.
Click Start> Run>and type in: "services.msc"
Click OK.
In the services window find
RpcRemote
Right-click and choose "Properties". On the General tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. File > Exit the Services utility.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":
RpcRemote

Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.

Reboot a final time and post a Hijackthis log.
Also let me know how the PC is running.

#13 drgonzo

drgonzo
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:01:09 AM

Posted 24 November 2006 - 12:15 PM

ok here is the new log, the computer seems to be running pretty smoothly, no pop ups or viruses.
I'd like to say thanks for all the tips and tricks you helped with.
thanks

Logfile of HijackThis v1.99.1
Scan saved at 17:11:27, on 24/11/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
D:\avgamsvr.exe
D:\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
D:\avgcc.exe
D:\VIRUS CLEANER\hijack this.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] D:\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD0FFF0C-9305-49AF-8B6C-C184F997AD82}: NameServer = 159.134.237.6 159.134.248.17
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

#14 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:07:09 AM

Posted 24 November 2006 - 12:17 PM

Ok, great news, glad to be able to help. Before I let you go, can you do one more thing?
Go to this folder where Hijackthis is kept and rename the hijackthis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.